Gozi Trojan Becomes Dark Cloud Botnet

The widely distributed Gozi ISFB banking Trojan has a new trick up its sleeve; it has been making use of the evasive Dark Cloud botnet for distribution in a series of recent campaigns. According to information security experts from Cisco Talos intelligence, the campaigns started during the fourth quarter of 2017 and have continued into 2018, with new campaigns being launched every week. They’re relatively low volume and targeted to specific organizations, and some of the mails are even localized.

“They do not appear to send large amounts of spam messages to the organizations being targeted, instead choosing to stay under the radar while putting extra effort into the creation of convincing emails, in an attempt to evade detection while maximizing the likelihood that the victim will open the attached files,” information security training researchers said in a blog.

The emails are crafted to look like part of an existing email thread, likely in an attempt to convince the victim of their legitimacy. To do this, the attackers create additional email subjects and accompanying bodies, included as “replies” with the malicious email. Out of the more than 100 malicious Word documents analyzed from the campaign, the vast majority of them are individualized.

“This is not something that is typically seen in most malicious email campaigns, and shows the level of effort the attackers put into making the emails seem legitimate to maximize the likelihood that the victim would open the attached file”, information security training researchers said.

The use of the Dark Cloud infrastructure lets attackers quickly move to new domains and IP addresses, not only for each campaign but also for individual emails that are part of the same campaign. The continuous use of these so-called fast-flux techniques means that attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls. Overall, Talos observed that the time-to-live (TTL) value for DNS records associated with domains used in these malware campaigns were typically set to 150, allowing the attackers to issue DNS record updates every three minutes.

In terms of geographic distribution, the information security professionals discovered that the attackers appear to be actively avoiding using proxies and hosts located in Western Europe, Central Europe and North America; the majority of the systems analyzed were located in Eastern Europe, Asia and the Middle East.

Additional, Gozi isn’t the only one looking to Dark Cloud for distribution. “We identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity,” the information security training researchers said.